
	
		II
		109th CONGRESS
		2d Session
		S. 3454
		IN THE SENATE OF THE UNITED STATES
		
			June 6, 2006
			Mr. Brownback (for
			 himself and Mr. Talent) introduced the
			 following bill; which was read twice and referred to the
			 Committee on
			 Finance
		
		A BILL
		To amend the Internal Revenue Code of 1986 to improve the
		  exchange of healthcare information through the use of technology, to encourage
		  the creation, use and maintenance of lifetime electronic health records that
		  may contain health plan and debit card functionality in independent health
		  record banks, to use such records to build a nationwide health information
		  technology infrastructure, and to promote participation in health information
		  exchange by consumers through tax incentives and for other
		  purposes.
	
	
		1.Short
			 titleThis Act may be cited as
			 the Independent Health Record Bank Act
			 of 2006.
		2.PurposesIt is the purpose of this Act to provide for
			 the establishment of a nationwide health information technology network
			 to—
			(1)improve
			 healthcare quality, reduce medical errors, increase the efficiency of care, and
			 advance the delivery of appropriate, evidence-based healthcare services;
			(2)promotes the
			 wellness, disease prevention, and management of chronic illnesses by increasing
			 the availability and transparency of information related to the healthcare
			 needs of an individual;
			(3)ensure that
			 appropriate information necessary to make medical decisions is available in a
			 usable form at the time and in the location that the medical service involved
			 is provided;
			(4)produces greater
			 value for healthcare expenditures by reducing healthcare costs that result from
			 inefficiency, medical errors, inappropriate care, and incomplete
			 information;
			(5)promotes a more
			 effective marketplace, greater competition, greater systems analysis, increased
			 choice, enhanced quality, and improved outcomes in healthcare services;
			(6)improve the
			 coordination of information and the provision of such services through an
			 effective infrastructure for the secure and authorized exchange and use of
			 healthcare information; and
			(7)ensure that the
			 confidentiality of individually identifiable health information of a patient is
			 secure and protected.
			3.DefinitionsIn this Act:
			(1)AccountThe
			 term account means an electronic health record of an individual
			 contained in an independent health record bank.
			(2)Electronic
			 health recordThe term electronic health record
			 means a longitudinal collection of personal health information concerning a
			 single individual, entered or accepted by healthcare providers, and stored
			 electronically.
			(3)Healthcare
			 entityThe term healthcare entity includes
			 healthcare consumers, providers, and payers, government agencies,
			 pharmaceutical companies, laboratories, and research institutes.
			(4)HIPAAThe
			 term HIPAA means the regulations under section 264(c) of the
			 Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2
			 note).
			(5)Individually
			 identifiable health informationThe term individually
			 identifiable health information has the meaning given such term in
			 section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)).
			(6)Nonidentifiable
			 health informationThe term nonidentifiable health
			 information means any list, description or other grouping of consumer
			 information (including publicly available information pertaining to them) that
			 is derived without using personally identifiable information that is not
			 publicly available.
			(7)Partially
			 identifiable health informationThe term partially
			 identifiable health information means any list, description, or other
			 grouping of consumer information (and publicly available information pertaining
			 to them) derived using any personally identifiable information that is not
			 publicly available.
			(8)Protected
			 health informationThe term protected health
			 information shall have the meaning given such term for purposes of
			 HIPAA.
			(9)SecretaryThe
			 term Secretary means the Secretary of Commerce.
			4.Independent
			 health record banks
			(a)PurposeIt
			 is the purpose of this section to provide for the establishment of independent
			 health record banks to achieve a savings of money and lives in the healthcare
			 system through—
				(1)the creation and
			 storage of lifetime individual electronic health records for individuals that
			 may contain health plan and debit card functionality and that serves the
			 interests of all healthcare entities;
				(2)the utilization
			 of technological infrastructure with the goal of connecting health records to
			 build a national health information network;
				(3)the provision of
			 health information data sets, within distinct authorization boundaries, based
			 on usage needs, including—
					(A)the sale of
			 approved data for research and other consumer purposes as provided for under
			 section 6(b);
					(B)the provision of
			 data for emergency healthcare as provided for under section 6(c); and
					(C)the provision of
			 data for all other healthcare needs determined appropriate by the Secretary (in
			 accordance with the protections provided for under section 6);
					(4)the offering of
			 incentives to employers that face rising employee health costs, to encourage
			 employee participation in independent health record banks; and
				(5)the creation of a
			 source of tax-free income to support the operations of the independent health
			 record banks, and, through revenue sharing, to provide incentives to
			 independent health record bank account holders, healthcare providers, and fee
			 payers to contribute health information.
				(b)Establishment
				(1)In
			 generalNot later than 1 year after the date of enactment of this
			 Act, the Secretary shall prescribe standards for the establishment and
			 certification of independent health record banks to carry out the purposes
			 described in subsection (a).
				(2)Requirement of
			 non-profit entityThe standards under paragraph (1) shall permit
			 a non-profit entity to establish an independent health record bank as a
			 cooperative entity that operates for the benefit and in the interests of the
			 membership of the bank as a whole. Such bank shall be owned and controlled by
			 its members.
				(3)For-profit
			 entitiesA for-profit entity may not participate in the
			 establishment and operation of an independent health record bank, except to the
			 extent that such entity is by contract employed to assist in carrying out the
			 operations of the bank.
				(4)Treatment as
			 covered entity for purposes of HIPAATo the extent that an
			 independent health record bank (or associated vendor) is engaged in
			 transmitting protected health information, the bank shall be considered to be a
			 covered entity for purposes of HIPAA with respect to such information.
				(c)Membership
				(1)In
			 generalTo be eligible to be a member of an independent health
			 record bank, an individual shall obtain or have obtained a product or service
			 from a covered entity that is to be used primarily for personal, family, or
			 household purposes, or that individual's legal representative.
				(2)No limitation
			 on membershipNothing in this subsection shall be construed to
			 permit an independent health record bank to restrict membership.
				(d)Rights relating
			 to information in the bank
				(1)Individual
			 consumers
					(A)General
			 rightAn individual who has a health record contained in an
			 independent health record bank shall maintain ownership over the entire health
			 record and shall have the right to review the contents of the record in its
			 entirety at any time during the normal business operating hours of the
			 bank.
					(B)Additional
			 information and limitationAn individual described in
			 subparagraph (A) may add personal health information to the health record of
			 that individual, except that such individual shall not alter or falsify
			 information that is entered into the health record by another healthcare
			 entity. Such an individual shall have the right to propose an amendment to such
			 information pursuant to standards prescribed by the Secretary relating to the
			 correction of information contained in a health record.
					(2)Other
			 healthcare entitiesA healthcare entity (other than an
			 individual) shall serve as the custodian of only that information that has been
			 added by such entity to the health record of an individual that is maintained
			 by an independent health record bank. Such entity may be permitted to have
			 access to other specified information contained in such health record
			 (including the entire record if appropriate) if such access is granted by the
			 independent health record bank and the individual involved (pursuant to
			 standards prescribed by the Secretary relating to access to
			 information).
				(e)Financing of
			 activities
				(1)In
			 generalAn independent health record bank may generate revenue to
			 pay for the operations of the bank through—
					(A)charging
			 healthcare entities, including individual account holders, account fees for use
			 of the bank;
					(B)the sale of
			 nonidentifiable and partially identifiable health information contained in the
			 bank for research purposes (as provided for in section 6(b)); and
					(C)the conduct of
			 any other activities determined appropriate by the Secretary.
					(2)Sharing of
			 revenueRevenue derived under paragraph (1)(B) shall be shared
			 with independent health record bank account holders, and may be shared with
			 healthcare providers and payers, in accordance with this Act.
				(3)Treatment of
			 incomeFor purposes of the Internal Revenue Code of 1986, any
			 revenue described in this subsection shall not be included in gross income of
			 any independent health record bank, independent health record bank account
			 holder, healthcare provider, or payer described in this subsection.
				5.Healthcare
			 clearinghouse activities
			(a)Application of
			 sectionThis section shall apply to an independent health record
			 bank (and associated vendors) with respect to activities undertaken by such
			 bank in operating as a health care clearinghouse (as such term is defined in
			 section 1171(2) of the Social Security Act (42 U.S.C. 1329d(2)).
			(b)Accreditation
				(1)In
			 generalTo be eligible to carry out clearinghouse activities
			 under this section, an independent health record bank (and associated vendors
			 performing clearinghouse functions) shall be accredited by a national standards
			 development organization, utilizing the criteria described in paragraph (2),
			 that is properly authenticated and registered with the Attorney General and the
			 Federal Trade Commission pursuant to the provisions of the National Cooperation
			 Research and Production Act of 1993 (15 U.S.C. 4301 et seq.).
				(2)CriteriaThe
			 criteria to be used by a national standards development organization in the
			 accreditation of an independent health record bank under this section shall be
			 designed to measure the competency, assets, practices, and procedures of the
			 bank for purposes of conducting clearinghouse activities. Such criteria shall
			 include—
					(A)the technical
			 capacity and electronic facilities of the bank for the receipt, transmission,
			 and handling of electronic health information transactions;
					(B)the ability of
			 the bank to process transactions to which HIPAA applies;
					(C)the backup and
			 disaster recovery plans and capacity of the bank;
					(D)the privacy
			 practices, procedures, and employee training programs of the bank consistent
			 with HIPAA; and
					(E)the security
			 practices, procedures, and employee training programs of the bank consistent
			 with HIPAA, including compliance with the HIPAA security rule that protected
			 health information must only be viewable by the intended recipient.
					(3)Existing
			 clearinghousesAn independent health record bank operated by an
			 entity that has been certified under part C of title XI of the Social Security
			 Act (42 U.S.C. 1320d et seq.) as a health care clearinghouse prior to the date
			 of enactment of this Act shall be considered to be accredited for purposes of
			 paragraph (1).
				(c)Information
			 requirementAn independent health record bank acting as a health
			 care clearinghouse under this section shall ensure that reporting services are
			 provided to individual consumers in a manner that includes the provision of
			 lists of individuals or organizations that have accessed the health record
			 account of the consumer or to whom health information disclosures concerning
			 the consumer have been made in accordance with the requirements of
			 HIPAA.
			6.Availability and
			 use of healthcare information in bank
			(a)General
			 ruleExcept as provided in this section, access to specified
			 sections of, or an entire, electronic health record maintained by an
			 independent health record bank concerning an individual shall only be provided
			 with the prior authorization of the individual involved, as authenticated as
			 provided for under the standards prescribed by the Secretary under section
			 8.
			(b)Availability of
			 data for research and other activitiesAn independent health
			 record bank may sell nonidentifiable and partially identifiable health
			 information concerning and individual only if—
				(1)the bank and the
			 individual involved agree to the sale;
				(2)the agreement
			 provided for under paragraph (1) includes parameters with respect to the
			 disclosure of information involved and a process for the authorization of the
			 further disclosure of partially identifiable health information;
				(3)the data involved
			 is to be used for research or other activities only as provided for in the
			 agreement under paragraph (1);
				(4)the data involved
			 does not identify the individual who is the subject of the data;
				(5)the revenue to be
			 derived from the sale of the data is collected by the bank and equally divided
			 between the bank and the individual involved, except that revenue may also be
			 distributed to healthcare providers and payers as incentives to contribute
			 additional data to the bank; and
				(6)the transaction
			 otherwise meets the requirements and standards prescribed by the
			 Secretary.
				(c)Availability of
			 data for emergency healthcare
				(1)FindingsCongress
			 finds that—
					(A)given the size
			 and nature of visits to emergency departments in the United States, readily
			 available health data could make the difference between life and death;
			 and
					(B)due to the case
			 mix and volume of patients treated, emergency departments are well positioned
			 to provide data for public health surveillance, community risk assessment,
			 research, education, training, quality improvement, and other uses.
					(2)Use of
			 dataAn independent health record bank may permit healthcare
			 providers to access, during an emergency department visit, a limited,
			 authenticated data set concerning an individual for emergency response purposes
			 without the prior consent of the individual. Such limited data may
			 include—
					(A)patient
			 identification data, as determined appropriate by the individual
			 involved;
					(B)provider
			 identification that includes the use of a unique provider identifiers as
			 provided for in section 1173 of the Social Security Act (42 U.S.C.
			 1320d–2);
					(C)payment
			 data;
					(D)arrival and first
			 assessment data;
					(E)data related to
			 the individual's vitals, allergies, and medication history;
					(F)data related to
			 existing chronic problems and active clinical conditions of the individual;
			 and
					(G)data concerning
			 physical examinations, procedures, results, and diagnosis data relating to the
			 visit.
					(d)Effect on
			 HIPAANothing in this Act shall be construed to affect the scope,
			 substance, or applicability of the part C of title XI of the Social Security
			 Act (42 U.S.C. 1320d et seq.) or HIPAA as such relates to individually
			 identifiable health information maintained in an independent health record
			 bank.
			7.Application of
			 Federal and State security and confidentiality standards
			(a)In
			 generalExisting Federal security and confidentiality standards
			 and State security and confidentiality laws shall apply to this Act (and the
			 amendments made by this Act) until such time as Congress acts to amend such
			 standards.
			(b)Provision of
			 information and informational provision
				(1)Designation of
			 agencyEach State with an independent health records bank
			 operating in the State shall designate a State agency to be responsible for
			 addressing complaints by residents of the State with respect to health records
			 contained in the bank.
				(2)Provision of
			 informationAn independent health record bank operating in a
			 State shall provide the State authority designated under paragraph (1) with an
			 informational filing that describes the policies of the bank, the types of
			 information sold by the bank, and other relevant information determined
			 appropriate by such authority.
				(3)InformationAn
			 individual who has a health record maintained by an independent health record
			 bank shall direct any concerns, problems, or questions related to such record
			 directly to the appropriate State authority.
				(c)DefinitionsFor
			 purposes of this section:
				(1)State security
			 and confidentiality lawsThe
			 term State security and confidentiality laws means State laws and
			 regulations relating to the privacy and confidentiality of individually
			 identifiable health information or to the security of such information.
				(2)Current Federal
			 security and confidentiality standardsThe term current Federal security and
			 confidentiality standards means the Federal privacy standards
			 established pursuant to section 264(c) of the Health Insurance Portability and
			 Accountability Act of 1996 (42 U.S.C. 1320d–2 note) and security standards
			 established under section 1173(d) of the Social Security Act.
				(3)StateThe
			 term State has the meaning given such term when used in title XI
			 of the Social Security Act, as provided under section 1101(a) of such Act (42
			 U.S.C. 1301(a)).
				8.Regulatory
			 oversight
			(a)In
			 generalIn carrying out this Act, the Secretary, acting through
			 the Under Secretary for Technology or other appropriate official, shall—
				(1)develop a program
			 to certify entities to operate independent health record banks;
				(2)provide
			 assistance to encourage the growth of independent health record banks;
				(3)track economic
			 progress as it pertains to independent health records bank operators and
			 individuals receiving non-taxable income with respect to accounts;
				(4)conduct public
			 education activities regarding the creation and usage of the independent health
			 records banks;
				(5)establish an
			 interagency council under subsection (b) to develop standards for Federal
			 security auditing for entities operating independent health record banks;
			 and
				(6)carry out any
			 other activities determined appropriate by the Secretary.
				(b)Interagency
			 council for security auditing
				(1)In
			 generalThe Secretary, in consultation with the Secretary of
			 Health and Human Services and other appropriate Federal officials, shall
			 establish an interagency council to develop standards for Federal security
			 auditing as it relates to data security, authentication, and authorization
			 recommendations, and reviews of independent health record banks.
				(2)DutiesThe
			 interagency council established under paragraph (1) shall take into
			 consideration the following factors when developing recommendations for
			 security, authentication, and authorization of data in independent health
			 record banks:
					(A)The number and
			 type of factors used for the exchange of protected health information.
					(B)Requiring that
			 individuals, who have health records that are maintained by the bank, be
			 notified of a security breech with respect to such records, and any corrective
			 action taken on behalf of the individual.
					(C)Requiring that
			 information sent to, or received from, an independent health record bank that
			 has been designated as high-risk should be authenticated through the use of
			 methods such as the periodic changing of passwords, the use of biometrics, the
			 use of tokens or other technology as determined appropriate by the
			 council.
					(D)Recommendations
			 for entities operating independent health record banks, including requiring
			 analysis of the potential risk of health transaction security breeches based on
			 set criteria.
					(E)The conduct of
			 audits of independent health record banks to ensure that they are in compliance
			 with the requirements and standards established under this Act.
					(3)Compliance
			 reportThe interagency council established under this subsection
			 shall annually submit to the Secretary a report on compliance by independent
			 health record banks with the requirements and standard under this Act. Such
			 report shall be included in the report required under subsection (d).
				(c)Interagency
			 memorandum of understandingThe Secretary and the Secretary of
			 Health and Human Services, and other Federal officials that may be impacted by
			 this Act, shall ensure, through the execution of an interagency memorandum of
			 understanding among such Secretaries, that—
				(1)regulations,
			 rulings, and interpretations issued by such Secretaries or officials relating
			 to the same matter over which 2 or more such Secretaries or officials have
			 responsibility under this Act are administered so as to have the same effect at
			 all times; and
				(2)coordination of
			 policies relating to enforcing the same requirements through such Secretaries
			 or officials in order to have coordinated enforcement strategy that avoids
			 duplication of enforcement efforts and assigns priorities in
			 enforcement.
				(d)Annual
			 reportNot later than 1 year after the date of enactment of this
			 Act, and annually thereafter, the Secretary, acting through the Under Secretary
			 for Technology, shall submit to Committee on Health, Education, Labor, and
			 Pensions and the Committee on Finance of the Senate and the Committee on Energy
			 and Commerce and the Committee on Ways and Means of the House of
			 Representatives, a report that—
				(1)describes
			 individual owner or institution operator economic progress as achieved through
			 independent health record bank usage and existing barriers to such
			 usage;
				(2)describes
			 progress in security auditing as provided for by the interagency security
			 council under subsection (b); and
				(3)contains
			 information on the other core responsibilities of the Secretary as described in
			 subsection (a).
				9.Penalties for
			 fraud and abuseThe penalties
			 provided for in section 1177(b) of the Social Security Act (42 U.S.C. 1320d–6)
			 shall apply to the wrongful disclosure of information collected, maintained, or
			 made available by an independent health record bank under this Act, including
			 disclosures by any employees or associates of any such bank or other healthcare
			 entity using or disclosing such information.
		10.Tax credit for
			 employer-provided employee independent health record bank account fees
			(a)Allowance of
			 creditSubpart D of part IV of subchapter A of chapter 1 of the
			 Internal Revenue Code of 1986 (relating to business related credits) is amended
			 by adding at the end the following new section:
				
					45N.Employer-provided
				employee independent health record bank account fees
						(a)Determination
				of amountFor purposes of section 38, the independent health
				record bank account investment credit determined under this section with
				respect to any taxpayer for any taxable year is an amount equal to the
				independent health record bank account investment provided by such taxpayer
				during the taxable year.
						(b)Independent
				health record bank account investmentFor purposes of this
				section, the term independent health record bank account
				investment means, with respect to each employee of the taxpayer for any
				taxable year, an amount equal to the lesser of—
							(1)50 percent of the
				cost for such employee to maintain an independent health record bank account
				paid by the taxpayer during the taxable year, or
							(2)$50.
							(c)Independent
				health record bank accountFor purposes of this section, the term
				independent health record bank account has the meaning given to
				the term account under section 3(1) of the Independent Health
				Record Bank Act of 2006.
						(d)Special
				rulesNo deduction or credit (other than under this section)
				shall be allowed under this chapter with respect to any expense which is taken
				into account under subsection (a) in determining the credit under this
				section.
						(e)Reports
							(1)In
				generalEach taxpayer shall make such reports to the Secretary
				and to employees of the taxpayer regarding—
								(A)independent
				health record bank account investments made with respect to such employee
				during any calendar year, and
								(B)such other
				information as the Secretary may require.
								(2)Time for making
				reportsThe reports required by this subsection—
								(A)shall be filed at
				such time and in such manner as the Secretary prescribes, and
								(B)shall be
				furnished to employees—
									(i)not later than
				January 31 of the calendar year following the calendar year to which such
				reports relate, and
									(ii)in such manner
				as the Secretary prescribes.
									(f)RegulationsThe
				Secretary may prescribe such regulations as may be necessary or appropriate to
				carry out this section.
						(g)Application of
				sectionThis section shall apply with respect to any independent
				health record bank account investments made by the taxpayer for the 5-taxable
				year period beginning with the first taxable year during which such investments
				are made by the
				taxpayer.
						.
			(b)Credit treated
			 as business creditSection 38(b) of the Internal Revenue Code of
			 1986 (relating to current year business credit) is amended by striking
			 and at the end of paragraph (29), by striking the period at the
			 end of paragraph (30) and inserting , plus, and by adding at the
			 end the following new paragraph:
				
					(31)the independent
				health record bank account investment credit determined under section
				45N(a).
					.
			(c)Conforming
			 amendmentThe table of sections for subpart C of part IV of
			 subchapter A of chapter 1 of the Internal Revenue Code of 1986 is amended by
			 adding at the end the following new item:
				
					
						Sec. 45N. Employer-provided employee
				independent health record bank account
				fees.
					
					.
			(d)Effective
			 dateThe amendments made by this section shall apply to taxable
			 years beginning after the date of the enactment of this Act.
			(e)Additional
			 incentive for consumers participating in IHRBRevenue generated
			 by an independent health record bank and received by an account holder,
			 healthcare entity, or healthcare payer shall not be considered taxable income
			 under the Internal Revenue Code of 1986.
			
